IRC log for #salt, 2015-04-26

All times shown according to UTC.

Time Nick Message
00:04 fusionx86 joined #salt
00:08 zwi joined #salt
00:13 cedwards joined #salt
00:14 cedwards I don't see it in the documentation, but does the grains module support querying multiple grains?
00:15 cedwards so far all I can tell is all grains (grains.items) or one grain (grains.get / grains.item)
00:17 keltim cedwards, it would just be a jinja "and" condition
00:17 keltim in a state file, anyway
00:18 keltim don't *think* the grains facility supports multiple matching, but you can do it elsewhere
00:18 keltim wait, yes it does
00:19 keltim cedwards, http://docs.saltstack.com/en/latest/topics/targeting/compound.html
00:20 keltim though that even is not the grains module per se
00:20 cedwards well, yeah, that is supported but I'm not trying to match on multiple grains I want to output multiple grains.
00:21 cedwards like, 'salt '*' grains.get foo,bar,baz
00:21 cedwards essentially i want to filter the grains output to a limited set
00:22 cedwards looks like i might need to do some code diving
00:24 keltim almost certain you can feed it a python dict there
00:27 dramagods joined #salt
00:28 keltim oh
00:28 keltim cedwards, on cli, as easy as "salt '*' grains.item os osrelease oscodename"
00:28 cedwards oh really? i guess i didn't try that lol
00:29 Vr-Jack got too stuck on .get didn't ya? :)
00:29 cedwards I did
00:29 Vr-Jack don't feel bad. so did I. lol
00:31 cedwards hmm.. something still isn't working. that should work for nested dict items too i assume?
00:32 Vr-Jack salt house state.sls digtrench pillar='{distance: 100}'
00:32 Vr-Jack hmmm, not working
00:32 keltim yeah, .get is one value, .item one or more ... didn't even know about .append and .filter_by
00:32 dramagods joined #salt
00:34 cedwards looks like a patch may be in order
00:34 Vr-Jack looks like get does nested dict, but item does not
00:36 keltim oh, there is "delimiter" for nested dicts now, cool, that actually solved one of our problems
00:36 keltim s/solved/solves
00:42 zwi joined #salt
00:45 DYNamo057 joined #salt
00:46 DYNamo057 left #salt
00:47 c10 joined #salt
00:49 blacked joined #salt
00:53 kaos01 joined #salt
00:54 bhosmer joined #salt
00:55 yomilk joined #salt
01:00 cpowell joined #salt
01:06 cedwards little code diving and now I can query multiple nested values with grains.get
01:06 cedwards i love it when the code comes together
01:08 ktosiek joined #salt
01:09 scbunn joined #salt
01:22 huleboer joined #salt
01:24 cberndt joined #salt
01:38 zwi joined #salt
01:52 thehaven_ joined #salt
01:54 SaveTheRb0tz joined #salt
01:55 HoloIRCUser1 joined #salt
01:55 wintamut1 joined #salt
01:56 davidbanham joined #salt
01:56 tedbot joined #salt
01:56 yomilk joined #salt
01:56 KoFFiE_ joined #salt
01:56 g3cko_ joined #salt
01:56 crop joined #salt
01:57 Xiol joined #salt
01:57 _Cyclone_ joined #salt
01:57 sirtaj_ joined #salt
01:58 morsik_ joined #salt
01:59 douardda joined #salt
01:59 dunz0r joined #salt
01:59 dendazen joined #salt
01:59 kaos01 joined #salt
02:00 arif-ali joined #salt
02:01 tzero joined #salt
02:01 bfoxwell joined #salt
02:01 troyready joined #salt
02:02 tedbot left #salt
02:02 randomuser joined #salt
02:09 fusionx86 joined #salt
02:09 zwi joined #salt
02:10 yomilk joined #salt
02:11 cberndt joined #salt
02:16 zwi joined #salt
02:24 b33kar joined #salt
02:26 b33kar hey all, I'm attempting to setup salt in a multi domain environment and running into some problem with minion to master comms
02:27 b33kar i've setup the resolv.conf to point to my master ip and the master will only auth with itself
02:30 b33kar i have also set my firewall to allow both 4505 and 4506 tcp to pass through and still no dice
02:32 zwi joined #salt
02:35 pcn b33kar: have you run tcpdump to see where the failure lies?
02:36 c10 joined #salt
02:36 b33kar ok pcn, i'll run that and see what i get
02:44 michelangelo joined #salt
02:49 lictor36 joined #salt
02:49 scbunn joined #salt
02:49 MaliutaLap joined #salt
02:49 MaliutaLap left #salt
02:53 malinoff joined #salt
02:54 Rockj joined #salt
02:55 b33kar so, running tcpdump i get no traffic for salt. Really just the regular arps and dns queries
02:56 b33kar trying to ssh from minion to master fails as well as from master to minion lol
02:59 writtenoff joined #salt
03:00 favadi joined #salt
03:02 zwi joined #salt
03:02 bhosmer joined #salt
03:10 fusionx86 joined #salt
03:11 rnts_ joined #salt
03:12 cberndt joined #salt
03:30 fusionx86 joined #salt
03:31 wm-bot48 joined #salt
03:35 JlRd joined #salt
03:38 zircote joined #salt
03:44 zircote joined #salt
03:46 Mattisdada joined #salt
03:49 zircote joined #salt
03:51 bemehow joined #salt
04:12 kaos01 joined #salt
04:13 bemehow joined #salt
04:24 c10 joined #salt
04:39 MaliutaLap joined #salt
04:39 MaliutaLap left #salt
04:41 echo joined #salt
04:42 pheer1 joined #salt
04:47 keltim oh my ... ->   "i've setup the resolv.conf to point to my master ip and the master will only auth with itself"
04:57 ageorgop joined #salt
05:03 bhosmer joined #salt
05:10 aqua^mac joined #salt
05:11 MatthewsFace joined #salt
05:14 JoeHazzers keltim: where's that from?
05:17 lictor36 joined #salt
05:18 otter768 joined #salt
05:19 otter768 joined #salt
05:20 otter768 joined #salt
05:22 MatthewsFace joined #salt
05:32 keltim just above ...
05:32 keltim prob off your screen
05:32 keltim he left ...
05:32 keltim god knows what he was doing :)
05:34 keltim I was going to suggest he employ autoscaling docker containers to massively parallelize his /etc/resolv.conf
05:39 MatthewsFace joined #salt
05:40 c10 joined #salt
05:48 jonlangemak joined #salt
05:50 MatthewsFace joined #salt
05:52 MatthewsFace joined #salt
05:56 stoogenmeyer joined #salt
06:14 radd joined #salt
06:16 dh joined #salt
06:36 cberndt joined #salt
06:40 solidsnack joined #salt
06:45 blacked joined #salt
06:46 jxm_ joined #salt
06:53 linjan joined #salt
07:04 bhosmer joined #salt
07:04 I3olle joined #salt
07:06 JlRd joined #salt
07:06 blacked joined #salt
07:07 aqua^mac joined #salt
07:11 c10 joined #salt
07:13 markm joined #salt
07:17 linjan joined #salt
07:18 yomilk joined #salt
07:20 markm_ joined #salt
07:26 thehaven joined #salt
07:33 solidsnack joined #salt
07:34 markm_ joined #salt
07:40 chiui joined #salt
07:48 aqua^mac joined #salt
07:55 blacked joined #salt
08:00 kaos01 joined #salt
08:00 markm__ joined #salt
08:06 markm joined #salt
08:10 teogop joined #salt
08:13 yomilk joined #salt
08:15 linjan joined #salt
08:26 markm__ joined #salt
08:40 markm joined #salt
08:51 otter768 joined #salt
08:58 randomuser joined #salt
09:04 echo joined #salt
09:05 bhosmer_ joined #salt
09:06 stoogenmeyer_ joined #salt
09:12 markm__ joined #salt
09:12 ndrei joined #salt
09:13 joeto joined #salt
09:19 bhosmer_ joined #salt
09:23 markm joined #salt
09:35 bluenemo joined #salt
09:40 peters-tx joined #salt
09:42 a-salter joined #salt
09:46 radd joined #salt
09:48 bhosmer joined #salt
10:11 Furao joined #salt
10:31 JPT joined #salt
10:35 Mattisdada joined #salt
10:36 Mattisdada Hi, Saltstack newbie, how does one get the distro version. Ie, finding "precise" from Ubuntu?
10:39 faust joined #salt
10:41 codehotter Mattisdada: I'm also a salt newbie, but have you tried listing the grains data to see if what you want is in there?
10:42 Mattisdada I have not, good idea
10:42 Mattisdada Thanks
10:43 linjan joined #salt
10:49 Mattisdada It was "oscodename" in grains, thanks again
10:52 otter768 joined #salt
11:11 yomilk joined #salt
11:22 chiui joined #salt
11:22 bhosmer joined #salt
11:24 berrty joined #salt
11:24 JoeHazzers <keltim> I was going to suggest he employ autoscaling docker containers to massively parallelize his /etc/resolv.conf
11:24 JoeHazzers lel
11:33 berty_ joined #salt
11:42 Berty__ joined #salt
11:43 keltim all managed via pillar and reactor of course
11:44 keltim with an smtp returner that emailed the next docker instance telling it to start
11:44 JoeHazzers keltim: don't forget installing zookeeper!
11:44 keltim oh definitely! where does ZMQ come in?
11:44 keltim besides salt
11:45 keltim I mean, you need a new protocol for this, right?
11:45 keltim I only joke 'cause I do see people doing some seriously comical convoluted things with salt
11:46 keltim more and more often, mostly reddit
11:46 JoeHazzers i can probably come up with a valid use case for deploying something like consul alongside salt, but i also want to do convoluted things with salt :(
11:46 JoeHazzers keltim: any good examples? :D
11:47 keltim http://www.reddit.com/r/saltstack/comments/2z84iw/salt_master_in_docker_behind_haproxy/
11:48 JoeHazzers wait what
11:48 JoeHazzers why not just use environments and external auth
11:48 keltim and there's people encouraging him!
11:48 keltim I know
11:49 keltim that's like a solution in search of a problem
11:49 JoeHazzers i've done that before, *in the lab*
11:50 JoeHazzers you know... you get your hands on docker and want to make it do things
11:51 linjan joined #salt
11:51 keltim there was someone in here yest. that refused to use his hypervisor's (KVM) provided dhcp and dns service for some reason and insisted on inventing this bizarro pillar scheme to have minions check if dns was available before doing XYZ
11:52 keltim and having salt do things with resolv.conf, which is one thing I'd not manage with salt
11:53 keltim since using dhcp is better anyway, let salt manage dhclient
11:53 al joined #salt
11:55 ninkotech__ joined #salt
11:58 keltim I mean, that guy could clearly just use many ip addresses on HAproxy to solve his ports "problem" but I didn't want to suggest. If he doesn't know that, how can he know how to set up HAproxy?
12:03 malinoff joined #salt
12:10 JoeHazzers keltim: well, he could be new to it, or maybe he's just been told "just do it" by management, or he's messing around and lying about it being for teams?
12:14 markm joined #salt
12:15 Furao joined #salt
12:19 aquassaut joined #salt
12:21 tkharju joined #salt
12:25 faust joined #salt
12:29 Vr-Jack keltim: I still have to change a config, no matter what to move the resolver to the dns vm's once they are built. state tracking still matters.
12:29 Vr-Jack dhcp or static resolv.conf, it's still a change
12:32 Vr-Jack the dns example is just an easy one
12:34 aqua^mac joined #salt
12:37 keltim Vr-Jack, well, I'm of the opinion that you're creating a bootstrapping problem for yourself by not using the services provided by the hypervisor ... that's how it is designed to work. Nor am I sure why, since KVM is managing the memory, cpu, disk and everything else, that managing core net services is any sort of problem for anyone.
12:38 keltim at any rate, I'm tired of talking about it
12:38 yomilk joined #salt
12:39 Vr-Jack keltim: my paranoia, honestly. The vm's don't have access to the vmhost. lol
12:40 Vr-Jack but consider all the examples where service setup has dependency on db setup. My db is on a different minion. Same issue. multi-minion state tracking is needed.
12:40 keltim well, sending out a broadcast and letting KVM tell it what to do isn't in the realm of "access to the vmhost"
12:41 keltim Vr-Jack, you know, no one else checks those things, in non-virt environments, they just fail if it isn't available, which is about the only sensible thing one can do
12:42 keltim the user says "wtf?" in either case
12:44 Vr-Jack Well, if that were the case, we wouldn't bother with dependencies in the sls files, and all our examples of db dependencies wouldn't exist. I'm just working around to extend that to a multi-minion environment, which is a natural extension. Technically, if I knew python, I'd just patch the code. :P
12:44 keltim in any case, if you really must, you could run some process on the dependency which would announce when the dependency was ready (to something relevant), rather than use states
12:45 keltim so that could tell reactor to do something. trying to use the master to determine that is really convoluted
12:48 keltim if you need a message passing sort of bootstrap, then I would say do it on the dependency itself, don't make salt attempt to pretend to pass messages ...
12:48 bhosmer joined #salt
12:50 Vr-Jack Well, the master should be maintaining a last known state dict for the minions to reference. using reactor to maintain a pillar of such is just a slight roundabout of what the internal code should be doing.
12:51 Vr-Jack in this case, I'll have a reactor that modifies pillar/base/states.sls and then setup "watch states" in the minions for services I want to watch and send an event back to reactor.
12:52 keltim it's easy enough to add a scriptlet to /etc/ifup.d/ethX or what ever to check, say dns, and inform reactor with salt-call event.send dns works dude
12:52 Vr-Jack easy enough to do a state that does event.send once the dns service is started too.
12:53 Vr-Jack or the db is updated with x credentials
12:53 otter768 joined #salt
12:55 edulix joined #salt
12:55 edulix hello
12:56 Vr-Jack oh, well. I'll worry about it later. Gotta get back to digging trenches before the storms come in. :)
12:57 stoogenmeyer joined #salt
12:57 edulix now, this might sound crazy, but.. has anyone tried to use salt to implement a tasks workflow mechanism? something like sequential, synchronous, parallel tasks
12:57 stoogenmeyer hey guys, whats wrong with this reactor file ? http://pastebin.com/zfMYQ47X
12:57 edulix declaratively :P
12:57 stoogenmeyer i dont understand why it would fail to render
12:57 stoogenmeyer I'm definitely sending the required data['env'] in the event
12:58 echo joined #salt
12:58 keltim huh. stoogenmeyer, name collision? what does it say?
12:59 tobias2 joined #salt
13:00 stoogenmeyer it doesn't say anything past the [ERROR   ] Failed to render <file_path>
13:00 keltim pass it though some yaml validator?
13:00 stoogenmeyer tried running with salt-master -l debug (as specified in the reactor docs) but it still did not say much past that
13:00 stoogenmeyer keltim, ok will do
13:00 tkelley joined #salt
13:01 keltim I think salt has yaml validation built in somewhere
13:01 keltim I mean for debugging dry runs
13:01 txomon joined #salt
13:01 keltim other than like running the state with test=true
13:01 stoogenmeyer tried a yaml validator.. it doesn't like the {{data['env']}}
13:02 keltim yah that's jinja, right?
13:02 * keltim is not a jinja ninja
13:03 stoogenmeyer yea dont you use it too?
13:06 lictor36 joined #salt
13:06 dendazen joined #salt
13:08 keltim yes, just not as effectively as it could be
13:10 Vr-Jack edulix: besides using orchestrator?
13:12 stoogenmeyer so can anyone advise how to debug why reactor can't render an sls file ?
13:18 Vr-Jack stoogenmeyer: docs say best method is to run master in foreground with debug logging enabled
13:19 huleboer joined #salt
13:20 stoogenmeyer Vr-Jack: thats what i did..
13:20 stoogenmeyer I just found the problem, inside of a reactor sls file, I had to access the data I sent by going into data['data']
13:20 stoogenmeyer Also, don't try outputting a dict there, because it'll fail. You have to reach all the way to specific values
13:26 fxhp joined #salt
13:27 JDiPierro joined #salt
13:30 Whissi joined #salt
13:32 ageorgop joined #salt
13:39 yomilk joined #salt
13:44 amcorreia_ joined #salt
13:44 bhosmer joined #salt
13:46 evle joined #salt
13:49 _Cyclone_ joined #salt
14:01 ndrei joined #salt
14:04 CeBe joined #salt
14:07 SpX joined #salt
14:08 ageorgop joined #salt
14:11 ndrei joined #salt
14:12 ageorgop1 joined #salt
14:20 ndrei joined #salt
14:36 subsignal joined #salt
14:39 APLU joined #salt
14:39 fusionx86 joined #salt
14:50 teogop joined #salt
14:54 otter768 joined #salt
14:55 subsignal joined #salt
15:03 thayne joined #salt
15:23 joehh joined #salt
15:28 yomilk joined #salt
15:30 ndrei joined #salt
15:38 MaliutaLap joined #salt
15:40 ageorgop joined #salt
15:40 chiui joined #salt
15:41 kzrl joined #salt
15:45 bhosmer joined #salt
15:52 wwwBUKOLAYcom joined #salt
15:53 sandah joined #salt
15:53 otter768 joined #salt
15:59 dendazen joined #salt
16:01 markm_ joined #salt
16:06 hasues joined #salt
16:06 hasues left #salt
16:08 markm_ joined #salt
16:08 radd joined #salt
16:10 viq joined #salt
16:12 markm__ joined #salt
16:18 markm_ joined #salt
16:22 thayne joined #salt
16:23 markm__ joined #salt
16:23 irctc269 joined #salt
16:29 elfixit1 joined #salt
16:30 otter768 joined #salt
16:31 ckao joined #salt
16:32 echo joined #salt
16:36 thayne joined #salt
16:42 markm__ joined #salt
16:45 markm_ joined #salt
16:47 Diaoul joined #salt
16:53 huleboer joined #salt
16:55 markm__ joined #salt
17:00 yomilk joined #salt
17:03 markm__ joined #salt
17:14 markm joined #salt
17:19 subsignal joined #salt
17:25 MTecknology joined #salt
17:31 markm joined #salt
17:33 markm_ joined #salt
17:38 scoates joined #salt
17:46 bhosmer joined #salt
17:47 linjan joined #salt
17:50 bVector anyone using saltstack with aws?
17:50 bVector I'm thinking about trying out the s3 integrations
17:51 markm joined #salt
17:52 clintberry joined #salt
17:53 keltim bVector, yes
17:54 keltim bVector, wondering, do you have any issues with minions reporting slowly, or erratically using the std. returner? also, is the job cache (in /var) on ebs or ssd?
17:55 bVector havent seen any issues with slow reporting, but all my minions are in the same AZ
17:55 bVector and I use GP SSD for all my instances
17:56 keltim bVector, I think SSD might actually help a lot, cause of the job cache
17:56 bVector I have seen CPU creep on the master, but I'm using 2014.7
17:56 keltim sometimes i see that, yes
17:56 keltim do you restart minions periodically or anything like that?
17:56 ktosiek joined #salt
17:58 bVector http://imgur.com/fV3Umc4
17:58 bVector have to restart the master once every few weeks
17:59 bVector I made this edit in git_pillar https://github.com/saltstack/salt/pull/22962/files
17:59 keltim well, it's good to reboot instances at least that often anyway, if possible
18:00 [1]Dom joined #salt
18:02 solidsnack joined #salt
18:04 [1]Dom How to set the hostname of a new machine with salt-cloud?
18:05 bVector I think if you're using a map file you set the hostnames in there
18:06 bVector otherwise I think if you specify an arg to a command it gets added as the 'names' variable for the execution
18:07 [1]Dom So far I only used profiles to create new machines
18:07 bVector salt-cloud -p <profile> name_of_vm
18:08 [1]Dom How can I reference the 'names' variable?
18:08 bVector is what I'm seeing for bare profile syntax
18:10 bVector this is my map file: http://pastebin.com/tLD5KRp9
18:10 bVector its a bit overcomplicated, but it creates a syndic master under my original master, with three minions under the syndic
18:11 bVector the 'opts['names'][0]' is the names var that gets passed in as a command line variable
18:11 blacked joined #salt
18:11 bVector so if I run
18:11 bVector sudo salt-cloud -P -m /etc/salt/cloud.class.map funk
18:12 bVector I get "The following virtual machines are set to be created:   saltclass-master-funk  saltclass-minion2-funk  saltclass-minion1-funk  saltclass-minion3-funk"
18:13 [1]Dom I see, I think I can use that
18:14 bVector I used it yesterday to spin up about 40 ec2 t2.micros for a workshop I led :)
18:14 bVector glad someone else might get use out of it
18:16 echo joined #salt
18:18 markm joined #salt
18:18 georgemarshall joined #salt
18:24 bash124512 salt-ssh does not load local ssh config file ? :(
18:28 bVector bash124512: a great opportunity to write a ~/.ssh/config roster module :D
18:28 bVector http://docs.saltstack.com/en/latest/ref/roster/all/index.html#all-salt-roster
18:28 keltim have not looked at salt cloud in a long time. It's definitely coming along nicely .. is that what you work on bVector ?
18:29 keltim s/looked/played
18:29 bVector neh, just been playing with it for a couple weeks
18:29 keltim is it suitable to manage security groups at this point?
18:29 keltim because the AWS functionality around that is atrocious
18:29 bVector not sure, I've just used a single security group for everything
18:31 keltim well at least with salt-cloud we could enter an issue # or comment with the rules
18:34 bash124512 bVector : are you going to write it ? :D
18:35 tobias2 What would be the preferred way to bootstrap minions with only ssh access? salt-ssh with a state that installs the needed packages or using salt-cloud? Feels a bit heavy to specify credentials in a file since we're only going to use it for the initial bootstrap.
18:35 bVector bash124512: sure thing, let me send over my consulting pricelist :O
18:36 bVector tobias2: salt-cloud I think uses salt-ssh with the bootstrap script
18:37 amcorreia_ joined #salt
18:37 tobias2 The main gripe I have with salt-ssh is that --extra_refs don't work with gitfs backend which excludes salt-formula from git.
18:38 tobias2 salt-cloud uses the saltify provider but it's possible it uses the same salt-ssh behind the scenes
18:38 bVector most likely
18:39 otter768 joined #salt
18:40 bash124512 bVector : Luckily for me there is something written but does not work for some reason.
18:40 bash124512 _get_config_file in ssh.py module
18:43 bVector I only see that used to open the authorized_keys file and known_hosts
18:43 bash124512 bah nvm, my mistake
18:44 fusionx86 joined #salt
18:49 yomilk joined #salt
18:53 blacked joined #salt
18:58 bVector anyone know why send message isnt part of aws_sqs module?
19:00 bhosmer_ joined #salt
19:13 blacked joined #salt
19:14 zemm joined #salt
19:15 ktosiek joined #salt
19:22 [1]Dom @bVector: Thanks for the snippet earlier, works like a charm ;)
19:23 JayFK joined #salt
19:28 bVector nice :D
19:38 seblu joined #salt
19:38 bash124512 bVector : config file loading for salt-ssh works fine :)
19:39 bVector whatd you do
19:40 bash124512 nothin
19:40 bash124512 It does take a lot of time to execute a command though
19:46 bhosmer_ joined #salt
19:49 catpig joined #salt
19:51 stoogenmeyer joined #salt
19:57 JlRd joined #salt
20:01 bfoxwell joined #salt
20:02 tmclaugh[work] joined #salt
20:03 badon joined #salt
20:05 _2_ash joined #salt
20:06 ndrei joined #salt
20:08 _2_ash left #salt
20:15 salty_to_the_cor joined #salt
20:15 salty_to_the_cor is there any way to make __salt__ available in minion.py?
20:16 salty_to_the_cor i dont see that context being available in minion.py
20:17 salty_to_the_cor i am trying to check if any other salt process is running
20:21 devops8394 joined #salt
20:24 thayne joined #salt
20:25 devops8394 Is it possible to update the default values of 'install_recommends' and 'skip_suggestions' in salt.states.pkg?
20:33 JDiPierro joined #salt
20:33 [1]Dom I simply put this http://pastebin.com/L6RKBnhN into /etc/apt/apt.conf
20:33 ktosiek joined #salt
20:34 [1]Dom but there is also a "install_recommends" option for pkg.installed see here http://docs.saltstack.com/en/latest/ref/states/all/salt.states.pkg.html#module-salt.states.pkg
20:35 [1]Dom there's also: skip_suggestions as an option
20:35 yomilk joined #salt
20:39 gthank joined #salt
20:40 gthank joined #salt
20:40 vstoniest joined #salt
20:40 kossy joined #salt
20:40 InAnimaTe joined #salt
20:41 Gareth joined #salt
20:41 devops8394 This is how I'm currently doing it: http://pastebin.com/fL4PnW0p
20:42 devops8394 How would you do this so you don't have to explicitly include those options every time you use salt.states.pkg
20:42 blacked joined #salt
20:42 pdayton joined #salt
20:48 yomilk joined #salt
20:56 radd joined #salt
20:57 keimlink joined #salt
20:58 duckx joined #salt
20:58 duckx Hello everyone
20:59 duckx I would like to solve an architecture issue with salt, I did not find a good way around yet
21:00 duckx My team currently administrates around 500 servers with the great help of salt
21:00 babilen devops8394: You can't, but it shouldn't be too hard to generate those in a loop. I would, however, strongly recommend against "refresh: True" for every pkg.installed
21:00 duckx So right now I have a single master with all minion directly connected to it
21:01 babilen devops8394: If you *really* want to hardcode those options copy aptpkg.py to _modules and change the defaults
21:02 babilen err, pkg.py to _states in this case naturally
21:03 babilen devops8394: suggested packages aren't installed by default anyway and for recommends you can deploy a suitable apt configuration file
21:14 babilen duckx: and?
21:15 Hell_Fire_ joined #salt
21:24 duckx sorry
21:24 duckx I was taken by ... a phone call
21:25 duckx I would like to delegate the administration of state to foreign teams
21:25 duckx With limited rights
21:26 duckx So far my equation goes with environments + active directory authentication + git repositories
21:27 duckx But I do not know how to solve this
21:27 duckx My plan right now is to create accounts to my salt administration box
21:28 duckx Give the rights to a special git repository to a foreign team
21:29 duckx Map the git space to a special env (For example web-env)
21:30 duckx And allow them to apply their own developed states to their set of machines ....
21:30 duckx Well that's basically the idea, but I do not know if this is a right way to do ....
21:31 duckx To make it even more simple: I got two foreign team ready to play with salt
21:31 duckx But I can't give them access to my main environment
21:32 duckx Has anyone the same kind of environment / constraints ?
21:33 duckx Could syndic help me ?
21:34 duckx babilen: ?
21:34 duckx ;)
21:36 hellome joined #salt
21:37 zircote joined #salt
21:47 duckx Well, I think I am going to play with gitfs first a bit
21:47 gumbyyyyy joined #salt
21:47 bhosmer joined #salt
21:47 duckx It will may be help me to find out a solution
21:48 jcockhren duckx: still around?
21:49 yomilk joined #salt
21:49 duckx yes I am
21:49 jcockhren duckx: give them their own repo. then in your top file makes sure their states target only their machines
21:50 jcockhren this will prevent them from seeing/using states you don't want them to
21:50 duckx How do they use salt then ?
21:50 duckx Using salt call directly from their servers ?
21:50 jcockhren for example: use a compound matcher to exclude them from your base states
21:51 jcockhren salt-api maybe.
21:51 jcockhren in the ACL you can set what they hace access to
21:51 jcockhren have
21:51 duckx ACL are reserved to salt-api ?
21:52 duckx I did not give a look at salt API yet
21:52 jcockhren granted, you'll have to use a version of salt that supports more than just pam external auth
21:52 jcockhren nah. the ACLs are for any type of execution
21:52 duckx What do you mean by 'exclude them from your base states' ?
21:52 duckx I do not see how you may implement this
21:52 jcockhren for example, let's say you provide them the machines
21:53 duckx Let say machine a,b and c
21:53 jcockhren on their machines (those machines are minions) set a grain like 'internal:no' or something
21:54 duckx Ok so far I follow
21:54 jcockhren then in your top file use a compound matcher to exclude them from the stuffs like: '* and not G@internal:no'
21:55 jcockhren then there will be states that they want/need would be like: 'internal:no' with a grain matcher
21:55 duckx I should have misunderstood the use of top files
21:55 duckx I thought it was just to map states with hosts
21:55 duckx In case you use state.highstate calls
21:56 jcockhren top files are specifically enabling or disabling the distribution of states and pillars to a set of minions
21:56 jcockhren in your example, you can ensure that your production states aren't even sent to machines a, b, c
21:56 duckx Hmm, never used them to disable stuff
21:56 duckx jcockhren: ok that a good trick
21:57 duckx Well I think you are right
21:57 jcockhren topology-wise, you could set up a syndic
21:57 jcockhren that syndic will also run a salt-master process
21:57 duckx Well documentation on the syndic is not crystal clear ...
21:58 jcockhren syndic is only for passthrough commands from your prod to the lowest machines (a, b, c)
21:58 duckx At least regarding the file_root, and how it is filed
21:58 duckx What could be perfect
21:58 jcockhren relative to machines a, b, c, it's a regular ol' salt-master
21:58 kaos01 joined #salt
21:59 jcockhren syndic allows you to pass commands to a, b, c through you top level master
21:59 duckx Using a syndic
21:59 jcockhren s/you/your/
21:59 jcockhren that's really it.
21:59 duckx Can I use the master-master states, even if they do not exist on the syndic host ?
22:00 jcockhren yeah. that requires you running a salt-minion process on the syndic as well
22:00 duckx Hmm ....
22:00 jcockhren otherwise your top level master won't see the syndic. it needs to treat the syndic as a minion
22:00 duckx So I could setup a salt-master syndic version for my teams
22:01 jcockhren but b/c you're running syndic, you can also see a, b, c as minions
22:01 jcockhren yeps
22:01 jcockhren :)
22:01 duckx And apply the master-master states on all my minions including a,b and c
22:02 duckx how do the file_root overlap ?
22:03 jcockhren merges
22:03 duckx Ah ah
22:03 jcockhren ideally, you won't exactly need to define file_roots in the syndic
22:04 duckx But my teams could be able to manage their state source trees directly on those syndic masters right ,
22:04 duckx ??
22:05 jcockhren your top file on your top level master takes care of that b/c it can see your syndic (as a minion) and machines a, b, & c (b/c the syndic is running)
22:05 jcockhren no
22:06 jcockhren I guess they "could" but honestly I haven't tested merging top-level file_roots with custom file roots on syndics
22:06 jcockhren I wouldn't even bother
22:06 jcockhren jus sayin
22:06 jcockhren ;)
22:06 duckx So the teams should develop on the master-master
22:06 duckx And run their salt-call on the syndic right ?
22:06 jcockhren this is because a,b & c and gets their states from the top level master
22:07 jcockhren not salt-call
22:07 jcockhren just salt
22:07 jcockhren like it's amaster
22:07 jcockhren a* master
22:07 duckx Sorry salt    space  calll
22:07 duckx ;)
22:07 jcockhren like
22:07 jcockhren salt 'a' state.highstate
22:07 jcockhren on the syndic
22:08 jcockhren the syndic can only 'see' a, b and c
22:08 c10 joined #salt
22:08 duckx Sounds perfectly what I expect
22:08 jcockhren and the states come from the top-level master with merges the gitfs for their repo
22:09 duckx I definitely need to test that tomorrow
22:10 jcockhren yeps
22:10 duckx Thx for the great help jcockhren
22:10 jcockhren no prob
22:10 duckx I assume a should only be on the syndic
22:10 duckx And not on the master-master
22:11 duckx Avoiding kind of a double registration right ?
22:11 kaos01 hi, how does one manage a directory with salt ?
22:12 duckx kaos01: file.directory ?
22:12 kaos01 does that give the ability to remove unmanaged files ?
22:12 kaos01 sorry new never even used salt
22:12 kaos01 except for dinner :P
22:12 duckx No problem kaos01
22:12 zircote joined #salt
22:13 duckx Well I always got the documentation for salt open
22:13 nocturn joined #salt
22:14 duckx jcockhren: I'll get back to you with my success story tomorrow if I can ;)
22:14 kaos01 i was more wondering if one can truly manage all files in directory ...  i.e. salt is aware of which files are managed
22:14 kaos01 like in puppet
22:14 jcockhren duckx: cool. I'll be around
22:16 Not_ joined #salt
22:17 kaos01 so if someone say drops a file into directory and its not managed by salt it can be deleted
22:21 tmclaugh[work] joined #salt
22:30 mosen joined #salt
22:35 yomilk joined #salt
22:53 Singularo joined #salt
23:00 khaije|io joined #salt
23:01 khaije|io does Salt have an opinion on any metal provisioning solution?
23:01 khaije|io opinion a/o preference
23:07 solidsnack joined #salt
23:12 ageorgop joined #salt
23:13 vieira kaos01: does "clean" in file.recurse behave as you want?
23:15 kaos01 vieira no idea not using salt, just curious about some things :)
23:15 kaos01 before i give it a go
23:16 kaos01 i know ansible doesnt offer an option to "manage a directory" but rather you need to do some other things like rsync/git
23:20 ajw0100 joined #salt
23:23 blacked joined #salt
23:23 fllr joined #salt
23:25 dendazen joined #salt
23:28 zircote joined #salt
23:29 MatthewsFace joined #salt
23:41 Morbus joined #salt
23:48 bhosmer joined #salt
23:51 yomilk joined #salt
23:57 c10 joined #salt
